In the last few years, two concepts have given entrepreneurs and business managers headaches: security and data protection. There is no security without data protection and no data protection without security. Here’s why these two concepts should always go together.
Living in the age of datafication
We live in the age of datafication and, as the world becomes more and more interconnected, the amount of personal raw data will increase significantly. If we look at the definition of personal data in the GDPR, today almost any data has the potential to be personal because, directly or indirectly, it can be linked to an identifiable person. Obviously, this should trigger some form of protection for us as individuals and for companies.
As a business manager or entrepreneur, it is natural to focus on one thing, namely compliance. At the moment, there are laws governing compliance, but we don’t have laws governing security. We have guidelines, ISO standards, best practices, consultants, and security professionals, but all of these fall into the optional category. However, legal frameworks like the GDPR and the CCPA do sanction security breaches.
This may lead to a paradox: one department can hold the documents about security while the people who actually have to implement the cybersecurity measures have no idea what those documents say.
The GDPR’s definition of a security breach clearly states that a personal data breach is a breach of security that unlawfully or accidentally results in the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed. Based on this premise, a data breach is a breach of security. It is obvious that information security, the technical part, and personal data security cannot be separated; they are the same thing.
Security solutions are tools that help us ensure information security. Are there separate solutions for personal data security? Most probably, no IT specialist would say that a given security solution serves only one of two purposes, protecting personal data or ensuring information security; they are basically the same thing. Even so, most specialists sell these solutions separately. Try as we might, information security risks cannot be entirely eliminated; they can only be reduced.
Personal data is not in a box on a shelf in the organization—it is where the rest of the data is—and if we apply the definition of information security correctly, personal data will be protected as well.
The average cost of a data breach has now reached over $4 million
The average cost of a data breach has reached over $4 million, hitting a record high during the COVID-19 pandemic. According to IBM’s “Cost of a Data Breach” report for 2021, a typical data breach now costs companies $4.24 million per incident, 10% more than in 2020.
After analyzing data breaches reported by over 500 organizations, together with a survey conducted by the Ponemon Institute, IBM says that the “drastic operational shifts” experienced by enterprises drove costs higher and made security incidents harder to contain once they had taken place. These shifts were due to the pandemic, stay-at-home orders, and the need to quickly move processes to remote work.
Where remote work was a factor in the breach, the cost was up to $1 million higher: an average of $4.96 million, compared to $3.89 million where it was not.
Data breaches in the healthcare industry were the most expensive, at an average of $9.23 million, followed by financial services at $5.72 million and pharmaceuticals at $5.04 million.
GDPR Sanctions Exceeded $1 Billion in 2021
According to international law firm DLA Piper, the data protection supervisory authorities across Europe have issued a total of nearly EUR 1.1 billion (USD 1.2 billion / GBP 0.9 billion) in fines since 28 January 2021.
This figure is taken from the law firm’s latest annual General Data Protection Regulation (GDPR) Fines and Data Breach Survey of the 27 European Union Member states plus the UK, Norway, Iceland, and Liechtenstein. This is nearly a sevenfold increase from last year’s total.
The highest GDPR fine to date, and the biggest penalty so far for non-compliance with the GDPR, is the EUR 746 million fine imposed by the Luxembourg National Commission for Data Protection (CNPD) on a US online retailer. This is more than 14 times higher than the previous largest GDPR fine, the EUR 50 million imposed by France’s CNIL on Google.